20 Critical Controls—Recommended Defenses Against Data Breaches


Last week wiredFINANCE looked at the data breaches Verizon had turned up in its latest data breach investigation. Often you don't even realize your data has been compromised until the data is being misused, and sometimes not even then.

If you needed any reinforcement of those findings, IBM just released its mid-year X-Force Trend and Risk Report. It turns out that public and private organizations around the world faced increasingly sophisticated, customized IT security threats in 2011. The report documents a rapidly changing security landscape characterized by high-profile attacks, growing mobile vulnerabilities, and more sophisticated threats such as whaling, a form of phishing attack that focuses on a small, targeted group within an organization. Phishing attacks spoof the websites the intended victims trust in order to deceive them into giving up valuable data.

The IBM X-Force team serves as the eyes and ears for thousands of IBM clients – studying security attack techniques and creating defenses before many vulnerabilities are even announced. You can access the latest X-Force report here. One way to counter these threats is through the 20 Critical Controls strategy.

The SANS Institute, which describes itself as a cooperative research and education organization, is behind the 20 Critical Security Controls, which are already in use in government agencies and other large enterprises. The idea is to focus on the key controls that block known attacks. Since June 1 the Critical Controls have become the central security strategy across government. You can find the 20 Critical Controls here.

The purpose is to allow those responsible for compliance and security to agree, possibly for the first time, on what needs to be done to make systems safer. The controls came out of a consortium under the auspices of the Center for Strategic and International Studies. Members of the consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy nuclear laboratories, the Department of State, and the DoD Cyber Crime Center, plus the top commercial forensics experts and penetration testers that serve the banking and critical infrastructure communities.

Key to implementing these controls is automation, which entails a significant technology investment but has been shown to lower the cost of security while improving its effectiveness. Here's the list:

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

5. Boundary Defense

6. Maintenance, Monitoring, and Analysis of Security Audit Logs

7. Application Software Security

8. Controlled Use of Administrative Privileges

9. Controlled Access Based on the Need to Know

10. Continuous Vulnerability Assessment and Remediation

11. Account Monitoring and Control

12. Malware Defenses

13. Limitation and Control of Network Ports, Protocols, and Services

14. Wireless Device Control

15. Data Loss Prevention

The five additional controls below are important, but they cannot be monitored automatically or continuously to the same degree as the controls above.

1. Secure Network Engineering

2. Penetration Tests and Red Team Exercises

3. Incident Response Capability

4. Data Recovery Capability

5. Security Skills Assessment and Appropriate Training to Fill Gaps

Do the Critical Controls work? They're not foolproof, but SANS reports that one large US agency has already demonstrated a reduction of more than 94% in measured security risk through rigorous automation and measurement of the 20 Controls.
